Analysis
max time kernel: 147s
max time network: 141s
platform: windows7_x64
resource: win7v20210410
submitted: 20-04-2021 11:35
Static task: static1
Behavioral task: behavioral1
Sample: Image001.exe
Resource: win7v20210410
General
Target: Image001.exe
Size: 231KB
MD5: 4ea509c18030b4e71413f2b2bd3b989c
SHA1: 5ba34126a4a502bf6e5305c1e647fcf4a7488677
SHA256: c0ebfff80d42551c1a910f2c7b8c08af384e5ccf49c979b7bf664e6c1b731607
SHA512: 864dfbe7e07fa4fcf15b487b6c41d20aad5c90d56518f305d8eeb2229ca3e28a9728c2ae5ef4e362d10d7f9a93996f0b67b61e8b5e224b89911152fa1a9db518
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.riceandginger.com/fcn/
Signatures

Formbook Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1200-68-0x0000000000400000-0x000000000042E000-memory.dmp   formbook
  behavioral1/memory/1552-71-0x00000000000D0000-0x00000000000FE000-memory.dmp   formbook

Deletes itself (1 IoC)
  pid 1084  cmd.exe

Loads dropped DLL (1 IoC)
  pid 1420  Image001.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1420 (Image001.exe) set thread context of 1200 (Image001.exe)
  PID 1200 (Image001.exe) set thread context of 1288 (Explorer.EXE)
  PID 1552 (wscript.exe)  set thread context of 1288 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid 1200  Image001.exe  (2 events)
  pid 1552  wscript.exe   (28 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1288  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 1420  Image001.exe  (1 event)
  pid 1200  Image001.exe  (3 events)
  pid 1552  wscript.exe   (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1200  Image001.exe
  Token: SeDebugPrivilege  pid 1552  wscript.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1288  Explorer.EXE  (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1288  Explorer.EXE  (4 events)

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1420 (Image001.exe) wrote to memory of 1200 (Image001.exe)  (5 events)
  PID 1288 (Explorer.EXE) wrote to memory of 1552 (wscript.exe)   (4 events)
  PID 1552 (wscript.exe)  wrote to memory of 1084 (cmd.exe)       (4 events)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Image001.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Image001.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\wscript.exe
      Command line: "C:\Windows\SysWOW64\wscript.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
         - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nss292.tmp\xl19yxkx7ev.dll
  MD5: 021e31cdf92985d3de940632b4229cc2
  SHA1: e18b54d4c7882a1cad146f921296c1461f1dd37b
  SHA256: 8b67f5fcae3d901b37b4dafc71386cb3c3cf5ca92e91e8d931c4de394b09441b
  SHA512: 91ace46af5fdc23e61dc5800d1bcfd8f9cbdca12c9e79f6fefa52ad51e5a062fcff46296bfadc18fdea577f99690e6d474c9ae90b24f0e4944cab4352a752e42

Memory dumps (file, size where given):
  memory/1084-73-0x0000000000000000-mapping.dmp
  memory/1200-62-0x000000000041EAA0-mapping.dmp
  memory/1200-64-0x0000000000770000-0x0000000000A73000-memory.dmp   3.0MB
  memory/1200-65-0x00000000003E0000-0x00000000003F4000-memory.dmp   80KB
  memory/1200-68-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
  memory/1288-75-0x0000000007350000-0x00000000074BE000-memory.dmp   1.4MB
  memory/1288-67-0x0000000006B30000-0x0000000006C6D000-memory.dmp   1.2MB
  memory/1420-63-0x00000000024C0000-0x000000000310A000-memory.dmp   12.3MB
  memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp   8KB
  memory/1552-71-0x00000000000D0000-0x00000000000FE000-memory.dmp   184KB
  memory/1552-70-0x0000000000BE0000-0x0000000000C06000-memory.dmp   152KB
  memory/1552-72-0x0000000002010000-0x0000000002313000-memory.dmp   3.0MB
  memory/1552-69-0x0000000000000000-mapping.dmp
  memory/1552-74-0x0000000000930000-0x00000000009C3000-memory.dmp   588KB